Risk assessment documentation should be reviewed to verify annual execution and triggers for significant changes. Which is true?

• A. Risk assessment should be reviewed to verify annual execution and changes triggers
• B. It is sufficient to conduct risk assessment once and never review
• C. Reviews are optional
• D. Reviews should be conducted only during external audits

Answer: (A)

Regular ongoing risk assessment reviews keep the organization aligned with current threats and the evolving environment. The statement is true because risk assessments should be checked to confirm they’re performed at least annually and that any significant changes trigger an update to the assessment. This ensures that risk levels, controls, and remediation plans stay current when things like new systems, expanded cardholder data scope, changes to processes, or new vendors occur. Treating risk reviews as optional, as a one-time task, or only happening during external audits would miss changes in the environment and could leave gaps in how risks are identified and mitigated.